add watchdog, bug 1662
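
policy_module(devices,1.1.13)

########################################
#
# Declarations
#

# device_node is the attribute every concrete device type gets via
# dev_node(); the shared rules at the end of this module key off it.
attribute device_node;
# memory_raw_read / memory_raw_write gate access to memory_device_t
# (see the neverallow rules below).
attribute memory_raw_read;
attribute memory_raw_write;
attribute devices_unconfined_type;

#
# device_t is the type of /dev.
#
type device_t;
fs_associate_tmpfs(device_t)
files_type(device_t)
files_mountpoint(device_t)
files_associate_tmp(device_t)

# Only directories and symlinks should be labeled device_t.
# If there are other files with this type, it is wrong.
# Relabelto is allowed for setfiles to function, in case
# a device node has no specific type yet, but is for some
# reason labeled with a specific type
#cjp: want this, but udev policy breaks this
#neverallow domain device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };

#
# Type for /dev/agpgart
#
type agp_device_t;
dev_node(agp_device_t)

#
# Type for /dev/apm_bios
#
type apm_bios_t;
dev_node(apm_bios_t)

type cardmgr_dev_t;
dev_node(cardmgr_dev_t)
files_tmp_file(cardmgr_dev_t)

#
# clock_device_t is the type of
# /dev/rtc.
#
type clock_device_t;
dev_node(clock_device_t)

#
# cpu control devices /dev/cpu/0/*
#
type cpu_device_t;
dev_node(cpu_device_t)

# for the IBM zSeries z90crypt hardware ssl accelorator
type crypt_device_t;
dev_node(crypt_device_t)

type dri_device_t;
dev_node(dri_device_t)

type event_device_t;
dev_node(event_device_t)

#
# Type for framebuffer /dev/fb/*
#
type framebuf_device_t;
dev_node(framebuf_device_t)

#
# Type for /dev/mapper/control
#
type lvm_control_t;
dev_node(lvm_control_t)

#
# memory_device_t is the type of /dev/kmem,
# /dev/mem and /dev/port.
#
type memory_device_t;
dev_node(memory_device_t)

# Raw memory access is restricted at the policy level: only domains
# carrying memory_raw_read / memory_raw_write (or devices_unconfined_type)
# may read or write these nodes; any other allow rule fails the build.
neverallow ~{ memory_raw_read devices_unconfined_type } memory_device_t:{ chr_file blk_file } read;
neverallow ~{ memory_raw_write devices_unconfined_type } memory_device_t:{ chr_file blk_file } { append write };

type misc_device_t;
dev_node(misc_device_t)

#
# A more general type for mouse devices.
#
type mouse_device_t;
dev_node(mouse_device_t)

#
# Type for /dev/cpu/mtrr and /proc/mtrr
#
type mtrr_device_t;
dev_node(mtrr_device_t)
genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)

#
# null_device_t is the type of /dev/null.
#
type null_device_t;
dev_node(null_device_t)
mls_trusted_object(null_device_t)
sid devnull gen_context(system_u:object_r:null_device_t,s0)

#
# Type for /dev/pmu
#
type power_device_t;
dev_node(power_device_t)

type printer_device_t;
dev_node(printer_device_t)

#
# random_device_t is the type of /dev/random
#
type random_device_t;
dev_node(random_device_t)

type scanner_device_t;
dev_node(scanner_device_t)

#
# Type for sound devices and mixers
#
type sound_device_t;
dev_node(sound_device_t)

#
# sysfs_t is the type for the /sys pseudofs
#
type sysfs_t;
files_mountpoint(sysfs_t)
fs_type(sysfs_t)
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)

#
# urandom_device_t is the type of /dev/urandom
#
type urandom_device_t;
dev_node(urandom_device_t)

#
# usbfs_t is the type for the /proc/bus/usb pseudofs
#
type usbfs_t alias usbdevfs_t;
files_mountpoint(usbfs_t)
fs_noxattr_type(usbfs_t)
genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0)
genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)

#
# usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+
#
type usb_device_t;
dev_node(usb_device_t)

type v4l_device_t;
dev_node(v4l_device_t)

# Type for vmware devices.
type vmware_device_t;
dev_node(vmware_device_t)

#
# Type for watchdog devices (e.g. /dev/watchdog).
#
type watchdog_device_t;
# Must be declared a device node like every other device type above;
# the earlier copy of this line re-applied dev_node() to vmware_device_t
# and left watchdog_device_t without the device_node attribute, so the
# shared device-node rules below never applied to it.
dev_node(watchdog_device_t)

type xen_device_t;
dev_node(xen_device_t)

type xserver_misc_device_t;
dev_node(xserver_misc_device_t)

#
# zero_device_t is the type of /dev/zero.
#
type zero_device_t;
dev_node(zero_device_t)
mls_trusted_object(zero_device_t)

########################################
#
# Rules for all device nodes
#

fs_associate(device_node)
fs_associate_tmpfs(device_node)

files_associate_tmp(device_node)

########################################
#
# Unconfined access to this module
#

# Domains with devices_unconfined_type get sys_rawio and every permission
# on all device nodes; this is the escape hatch the neverallow rules on
# memory_device_t explicitly exempt, so membership should stay minimal.
allow devices_unconfined_type self:capability sys_rawio;
allow devices_unconfined_type device_node:{ blk_file chr_file } *;
allow devices_unconfined_type mtrr_device_t:{ dir file } *;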